
Rochester Institute of Technology
RIT Scholar Works
Theses
4-5-2008

Automated processes for Sarbanes-Oxley risk management in a UNIX environment
Matthew Bahrenburg

Follow this and additional works at: https://scholarworks.rit.edu/theses

Recommended Citation
Bahrenburg, Matthew, "Automated processes for Sarbanes-Oxley risk management in a UNIX environment" (2008). Thesis. Rochester Institute of Technology. Accessed from

This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected].

Automated Processes for Sarbanes-Oxley Risk Management in a UNIX Environment
Prepared by: Matthew Bahrenburg
Document Version: 1.1
Last Update On: 04/05/2008

Masters Thesis 5/22/2008

Rochester Institute of Technology
B. Thomas Golisano College of Computing and Information Sciences
Master of Science in Computer Security and Information Assurance

Thesis Approval Form
Student Name: Matthew Bahrenburg
Thesis Title: Automated Processes for Sarbanes-Oxley Risk Management in a UNIX Environment
Thesis Committee (Name, Signature, Date):
Committee Member
Committee Member

Thesis Reproduction Permission Form
Rochester Institute of Technology
B. Thomas Golisano College of Computing and Information Sciences
Master of Science in Computer Security and Information Assurance
Automated Processes for Sarbanes-Oxley Risk Management in a UNIX Environment

I, Matthew Bahrenburg, hereby grant permission to the Wallace Library of the Rochester Institute of Technology to reproduce my thesis in whole or in part. Any reproduction must not be for commercial use or profit.
Date:
Signature of Author:

TABLE OF CONTENTS
MASTER'S THESIS 5
1 Introduction 5
2 Sarbanes-Oxley Act of 2002 5
2.1 COBIT Framework for Internal Controls 7
2.1.1 Plan & Organize 8
2.1.2 Acquire & Implement 8
2.1.3 Deliver & Support 9
2.1.4 Monitor & Evaluate 9
3 Risk Assessment 9
3.1 Risk Management 11
3.1.1 Risk Management - Personal Recommendation 12
4 Security Best Practices 12
5 Change Management 16
5.1 Change Management - Personal Recommendation 18
6 Account Provisioning and Controls 20
6.1 Identity Management Systems 21
6.1.1 User Identity Management 23
6.1.2 User Identity Management Systems: Application Accounts 24
6.1.3 System Accounts 25
6.1.4 Identity Management Summation 26
6.2 Account Access Controls 26
7 UNIX File Permissions 27
7.1 UNIX File Permissions Overview 27
7.2 File Sharing 30
7.3 Proper Configuration 32
8 Password Management 34
8.1 Password Request Problems 35
9 Privileged Access Management 36
9.1 Symark PowerBroker 36
9.2 Role Based Access Control (RBAC) 38
9.3 Mandatory Access Control (MAC) 38
9.4 SUDO 39
10 Logging and Reporting 42
11 Total Integration 44
11.1 User Identity Management/Password Management Integration 45
11.2 User Identity Management/Change Management Integration 46
11.3 Change Management/Password Management Integration 46
11.4 Change Management/Privileged Access Management Integration 48
11.5 Privileged Access Management/Logging & Reporting Integration 50
11.6 User Identity Management/Privileged Access Management 54
11.7 User Identity Management/Active Directory Integration 55
11.8 Final Workflows 56
11.8.1 Access Grants/Removals 56
11.8.2 User Initiated Changes 57
12 System Demonstration 60
12.1 Change Management Configurations 61
12.2 UNIX Privileged Access linked to Change Management 62
12.3 Active Directory Configuration 65
12.4 Linking Log Messages to Active Directory 68
12.5 Automated Report Generation 70
13 Documentation & Policies 72
13.1 Documentation 72
13.2 Policies 73
14 Training 74
14.1 System Training 74
14.2 Basic Security Training 75
15 Testing 75
16 Conclusion 76
17 References 77

1 Introduction

Over the years, the use of computers for financial and health related activities has grown exponentially. To ensure the integrity of the data produced by these activities, governments have begun setting regulations such as Sarbanes-Oxley as a broad outline to help mitigate the risk of theft or manipulation. These policies, however, allow for multiple interpretations that can cause confusion within an organization. This makes it difficult to evaluate which controls are acceptable and what resources are required to comply with government standards.

Through my research, I found it very difficult to find information that could provide in-depth technical guidance to meet compliance regulations, or research on the integration of available solutions into a complete automated system for control and auditing. I found many tools and papers available to aid with "security best practices", identity management, privileged access control, auditing, etc., yet nothing to pull this information together [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [20] [23]. Even guidance frameworks such as COBIT [24] or COSO [25] do not provide technical specifications or integration. I have therefore designed a unique and automated approach for compliance remediation, focusing on the implementation of preventative and detective controls in a UNIX environment.

2 Sarbanes-Oxley Act of 2002

Due to multiple scandals and financial misrepresentations by publicly traded companies, investors lost billions of dollars and began to lose faith in the national stock market. As a result, the Sarbanes-Oxley Act of 2002 was created to force publicly traded companies to provide reasonable assurance that their financial statements were not fraudulent.

The Sarbanes-Oxley Act provides reasonable assurance that fraudulent activity has not occurred and will not occur in many ways. It mandates the creation of an auditing oversight board that will ensure the company meets current government standards. It defines the role of auditors responsible for analyzing financial statements and internal controls. It defines corporate responsibility to meet these regulations and places accountability on upper management if they are not met. Upper management can suffer monetary losses and even be imprisoned if controls are not met or fraudulent activity is detected. Finally, public financial disclosure is required. If a company fails to meet government regulations, this information will become public knowledge and could drastically affect stock prices and future growth of the company.

The Sarbanes-Oxley Act has been divided into 11 sections, each containing multiple subsections. Section 404 will be the primary focus of this thesis since it has the most impact on IT departments. It states:

Section 404 Management Assessment Of Internal Controls
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall-
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement [4].

Essentially, it is management's responsibility to implement and evaluate internal controls for systems that in some way house or process financial data. As you can see, the actual implementation of these internal controls is not defined and is therefore left to interpretation. Typically, organizations rely on frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission framework [25] or the Control Objectives for Information and related Technology framework [24] to provide additional guidance in these areas [17]. These frameworks, however, also lack a technical implementation and simply provide an overview of control best practices.

2.1 COBIT Framework for Internal Controls

Control Objectives for Information and related Technologies (COBIT) was created as an IT controls framework that fits with and supports the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework, the widely accepted control framework for enterprise governance and risk management [24]. The COBIT framework, compiled from the consensus of experts, is designed to support IT governance by providing a foundation of best practices in a manageable and logical structure. The framework is particularly focused on controls and processes, and less on the technical implementation. This allows the framework to be effective in many organizations where technical implementations vary depending on the organization's needs, while still providing a reasonable amount of guidance. The COBIT framework has been broken down into four logical sections, discussed below.

2.1.1 Plan & Organize

The Plan & Organize section of COBIT is the first step for remediation efforts. It provides an outline of how to perform a risk assessment, determine a strategic plan for remediation, and devise project plans to ensure remediation efforts are completed on time and to specifications. This thesis covers many parts of this section (PO01, PO02, PO03, PO09, and PO10) by discussing risk assessment and an overall strategic plan for remediation.

2.1.2 Acquire & Implement

The Acquire & Implement section of COBIT is the second step for remediation efforts. It provides an outline of how to identify areas better served by automated solutions, how to manage changes, and the proper procedures to install automated solutions and change management.